This Privacy Policy explains how ZOLA CS DMCC (licensed in the Dubai Multi Commodities Centre free zone, registered at Unit No. 278, DMCC Business Centre, Level No. 1, Jewellery & Gemplex 3, Dubai, United Arab Emirates) — "Zola", "we", "us" — collects, uses, shares, and protects personal data when you visit our website, chat with our AI Assistant, register an account, or buy our business-setup and related services. We process personal data as a controller under the UAE Personal Data Protection Law, Federal Decree-Law No. 45 of 2021 (the "PDPL"). Capitalized terms such as "Services" and "Case" refer to the features described in our Terms & Conditions; their use in this Policy is descriptive only.
At a glance: We collect what we need to set up and run your UAE business services — your account details, your questionnaire answers, your documents, and your payment records. Our AI Assistant runs on Google Gemini, so chat messages are processed by Google in the United States; you consent to this separately, and you can withdraw that consent. We are legally required to share your information with freezone, government, and banking Authorities — they, not we, make the final decisions on your applications. UAE anti-money-laundering law requires us to keep compliance records for at least five years, even after you delete your account; deleting your account anonymizes your identity but does not erase those records early. You can access, correct, export, and (where the law allows) delete your data by contacting us through the contact form at zolagroup.com/contact or the in-app support channels. Our platform app uses only strictly necessary cookies; our marketing website (zolagroup.com) uses Google Analytics cookies to measure site usage — see our standalone Cookie Policy for details and opt-out options. We use no advertising trackers anywhere. Our services are for adults aged 18 or over. (This summary is for convenience only and is not part of this Policy.)
1. Controller & Contact
The controller of your personal data is:
| Controller | ZOLA CS DMCC |
|---|---|
| Registered address | Unit No. 278, DMCC Business Centre, Level No. 1, Jewellery & Gemplex 3, Dubai, United Arab Emirates |
| Privacy contact | Contact form at zolagroup.com/contact, or the in-app support channels |
Use the privacy contact above for anything in this Policy, including requests under Section 9 and complaints under Section 16. For general service questions, use the in-app support channels; legal notices can be sent in writing to our registered address.
2. Who This Policy Covers
This Policy applies to:
- Visitors — anyone who browses our website or uses the AI Assistant without an account, including through our chat widget embedded on third-party websites;
- Registered users — anyone who creates a Zola account, whether or not they buy anything;
- Clients — customers who purchase Services and have an active Case with us; and
- Third parties whose data a client gives us — designated contact persons, shareholders, directors, ultimate beneficial owners (UBOs), visa applicants, and other individuals whose details or documents (including passports) a client uploads or provides in connection with a Case.
If you give us personal data about someone else, you warrant that you have the authority to do so, and you must share this Policy with that person. We routinely receive passports and identity documents of people who are not the account holder; we treat their data with the same care and rights described here. A designated contact person on a Case receives Case emails, and the account owner receives a copy — by designating a contact person, the client consents to this sharing.
3. Data We Collect
We collect the following categories of personal data:
- Account data — email address, full name, phone number, country, password (stored only as a cryptographic hash, never in plain text), Google or LinkedIn sign-in identifiers if you use social login, and your profile photo if you upload one.
- Chat and questionnaire content — your messages with the AI Assistant (including anonymous sessions, which are stored and may be linked to your account if you later register), your questionnaire answers, and the proposals generated from them.
- KYC and case documents — passports, corporate documents, and other documents you upload in response to our requests, together with the structured "required information" answers you submit for each service.
- Payment data — order and invoice details, payment amounts and statuses, wire-transfer proof files you upload (including bank receipts, and the company and bank names you enter with them), and cryptocurrency transaction identifiers. We never collect or store your card number: card payments are handled entirely on Stripe's hosted checkout pages, and card data never enters our systems.
- Technical and security data — your IP address, device fingerprint, and browser user agent, which we store alongside your sign-in tokens to secure your sessions and detect stolen credentials; plus security and audit logs of actions taken on our platform, including an immutable log of every back-office action our staff take.
- Website analytics data — when you visit our marketing website (zolagroup.com), Google Analytics cookies collect online identifiers, device and browser information, and the pages you visit (see Section 13 and our Cookie Policy). The platform app itself (app.zolagroup.com) sets no analytics cookies.
- Communications — messages you exchange with our team in the in-case chat, support emails, and additional service requests you raise from within a Case.
4. Why We Process Your Data & Our Lawful Bases
The PDPL (Article 6) requires us to have a lawful basis for every processing purpose. Here is the map:
| Purpose | What we process | Lawful basis |
|---|---|---|
| Creating and managing your account; generating proposals for you by automated product matching computed from your questionnaire answers within our own systems (see Section 5); delivering the Services you buy; running your Cases; issuing invoices; communicating about your orders | Account data; questionnaire answers; case documents and required information; payment data; communications | Performance of a contract with you |
| Know-your-customer (KYC) and customer due diligence; UBO identification; sanctions and PEP screening; reporting to the UAE Financial Intelligence Unit and regulators where required; record-keeping under anti-money-laundering and tax law | KYC documents; identity data; ownership information; payment data | Compliance with our legal obligations |
| AI chat — the website welcome chat, the embedded chat widget, and the in-questionnaire assistant — including transmission of your messages and relevant questionnaire context to Google Gemini in the United States (see Section 5) | Chat content and, where you use the in-questionnaire assistant, questionnaire context | Your consent (a separate checkbox at registration; for anonymous visitors, the pre-chat confirmation described in Section 5 — withdrawable at any time) |
| Securing the platform: session management, fraud and abuse detection, stolen-token detection, access controls, audit logging | Technical and security data | Our legitimate interests in keeping the platform and your data safe |
| Measuring and improving our marketing website (zolagroup.com) using Google Analytics | Website analytics data — analytics cookie identifiers, device and browser information, pages visited (see Section 13 and the Cookie Policy) | Our legitimate interests in understanding how visitors use our marketing website — you can opt out at any time (Section 13) |
| Marketing communications, if you opt in | Email address; name | Your consent (separate, optional — withdrawable at any time) |
If you do not provide mandatory data, we cannot deliver the affected Service: we cannot open an account without an email address, and we cannot prepare or submit an application without the identity documents and information the relevant Authority requires. Where data is optional, we say so when we ask for it.
5. AI Processing (Google Gemini)
Our AI Assistant — including the website chat, the embedded chat widget, and the in-questionnaire explanation feature — is powered by Google Gemini, a generative AI service operated by Google. When you use it:
- Your chat messages, recent conversation history, and (where relevant) your questionnaire context are sent to Google for processing in the United States, under Google's API terms. See Section 7 on international transfers.
- Under Google's API terms as at the date of this Policy, Google may log inputs and outputs for a limited period (currently up to around 30 days for certain features) to monitor for abuse and misuse — not to train its general-purpose models.
- Responses may be generated by different versions of the Gemini model depending on availability.
No decision with legal effect on you is made solely by automated means. Proposals are not generated by Gemini: they are produced by automated product matching computed from your questionnaire answers entirely within our own systems, and they are informational starting points, not decisions. Every Case is handled by our human team, and all final decisions on licenses, visas, bank accounts, and registrations are made by the relevant Authorities — humans, not our software.
Processing by the AI Assistant rests on your consent. Registered users give it through a separate checkbox at registration. Anonymous visitors give it through an explicit confirmation step before their first message: the chat — which is clearly labeled as an AI system — displays a notice that messages are processed by Google Gemini in the United States, the chat starts only when you confirm, and we log that confirmation as your consent record. You may withdraw consent at any time through the contact channels in Section 1; withdrawal means the AI features will no longer be available to you, and it does not affect processing that happened before withdrawal. Please do not type passport numbers, payment details, passwords, health information, or other people's personal data into free-text chat — our structured upload flows exist for documents and are the right place for them (see clause 5 of our Terms & Conditions).
6. Who Receives Your Data
Processors — service providers acting on our instructions. We use a small set of named providers, each bound by a data-processing agreement. We remain responsible to you for their data-protection compliance:
| Provider | Role |
|---|---|
| Amazon Web Services (S3) | Cloud storage for uploaded documents, proofs, and deliverables |
| Google | Gemini AI processing (Section 5), Google sign-in, and Google Analytics (GA4) usage analytics for our marketing website (see Section 13 and the Cookie Policy) |
| LinkedIn | LinkedIn sign-in (social login) |
| Stripe | Card payment processing on Stripe-hosted checkout |
| ShKeeper | Cryptocurrency payment gateway |
| Email delivery provider | Sending transactional and service emails |
| Hosting and infrastructure providers | Servers, databases, caching, and background-job processing |
| Slack | Internal error logging — error reports may incidentally contain identifiers such as an email address or record reference |
Independent controllers — recipients who decide for themselves how they use your data:
- Freezone, government, and immigration Authorities — we submit your application data and documents to them to deliver the Services; they process it under their own rules.
- Banks — where you buy bank-account assistance, we share your data with the bank(s); their KYC requirements may exceed ours.
- The UAE Financial Intelligence Unit, law enforcement, and regulators — we disclose information where the law requires it. These disclosures are mandatory: they do not require your consent, and in some cases the law prohibits us from telling you they happened (see clause 26 of our Terms & Conditions).
- Introducers — if you reached us through a referral partner, that partner learns only that their referral registered or converted, for commission attribution. Introducers never receive your case data or documents.
We do not sell personal data, and we do not share it with advertisers. Google Analytics measures how our marketing website is used; it is not advertising, and we use no advertising trackers (Section 13).
7. International Transfers
Some of our processors — including Google (Gemini AI and Google Analytics), Stripe, AWS, and Slack — process data in the United States and other countries outside the UAE. We want to be straightforward about this: no adequacy decision covers the United States under the PDPL, so these transfers rely on contractual safeguards. In plain terms: each provider signs a data-processing agreement that contractually requires it to protect your data to a standard equivalent to UAE law (the PDPL and its Executive Regulations), using standard-contractual-clause-equivalent protections, and data is encrypted in transit and at rest. Submissions to UAE Authorities and banks (Section 6) stay within the UAE unless an Authority itself transfers data under its own legal framework.
8. How Long We Keep Your Data
| Data | Retention period | Why |
|---|---|---|
| KYC documents, case records, order, invoice, and payment records | At least 5 years after our relationship ends, then deleted or anonymized | UAE anti-money-laundering and tax law requires it |
| Chat and questionnaire data of visitors and users who never become clients | 24 months from last activity, then deleted | Long enough to serve returning prospects; no longer |
| Security and access logs (IP addresses, device records, sign-in history) | 12 months | Security investigation and fraud detection |
| Consent records (what you accepted, which version, when) | Duration of our relationship plus the applicable limitation period | Evidence of your consents and acceptances |
| Account profile data | Until you delete your account (Section 10), subject to the rows above | Operating your account |
Retention may be extended where a legal hold, investigation, or dispute requires it. When a retention period ends, we delete the data or irreversibly anonymize it.
9. Your Rights
Under the PDPL you have the right to:
- Access — receive a copy of your personal data and information about how we process it, free of charge once per year;
- Rectification — have inaccurate or incomplete data corrected (you can edit most account details yourself from your profile);
- Erasure — have your data deleted. Be aware of one important limit: UAE anti-money-laundering law obliges us to keep KYC, case, and payment records for at least 5 years after our relationship ends (Section 8). For that data, an erasure request cannot take effect until the legal retention period expires — we will tell you which data we must keep and delete the rest;
- Portability — receive the data you provided to us in a structured, machine-readable format. There is no self-service export button yet; we compile the export for you within the response window below;
- Objection and restriction — object to or restrict processing in the circumstances the PDPL provides, including processing based on legitimate interests;
- Withdraw consent — at any time, for any consent-based processing (AI chat, marketing). Withdrawal does not affect processing that already happened, and it does not stop processing we are legally required to perform.
Send requests through the contact form at zolagroup.com/contact or the in-app support channels (Section 1). We may need to verify your identity first. We respond within 30 days, extendable by a further 30 days for complex requests (we will tell you if we need the extension and why). Exercising these rights is free, except where requests are manifestly repetitive or excessive. If you are unhappy with our response, see Section 16.
10. Account Deletion Means Anonymization
You can delete your account at any time from your profile. Two preconditions apply, and the deletion screen checks them for you:
- No open Cases — no Case that is Pending Payment, Documents Requested, Documents Under Review, In Progress, or On Hold. Open engagements must finish or be cancelled under our Refund & Cancellation Policy first.
- No unpaid Orders — no Order in Draft or Issued status outstanding.
When you confirm deletion (by typing DELETE, plus your password if you have one), here is exactly what happens:
- Scrubbed permanently: your email address, phone number, full name, password, Google and LinkedIn sign-in identifiers, profile photo, referral attribution, and last sign-in record. All your active sessions are revoked, and the account can never be signed into or restored.
- Retained: your case, order, invoice, and payment records and the compliance documents you uploaded — because UAE law requires us to keep them for the period in Section 8. After that period expires, they are deleted or anonymized too.
In plain terms: deleting your account removes who you are from our live systems immediately, while the legally required record of what was done survives for the retention period, no longer. This is the deletion the law permits us to offer, and we believe describing it honestly serves you better than pretending otherwise.
11. How We Protect Your Data
No system is perfectly secure, and we do not promise that incidents can never happen — but here, factually, is what we have built:
- Encryption in transit (TLS) and at rest for stored data and documents.
- Passwords hashed with bcrypt — never stored or transmitted in plain text.
- Hardened sessions — sign-in cookies are httpOnly (unreadable by scripts), session tokens rotate on every refresh, and reuse of an old token is treated as a theft signal that automatically revokes the affected sessions.
- Content-validated uploads — every uploaded file is checked against its actual byte content, not just its file name, and files that fail validation are rejected.
- Time-limited document access — stored documents live in access-controlled cloud storage and are downloadable only through pre-signed links that expire.
- Role-scoped staff access with an immutable audit trail — our staff see only the data their role requires, and every back-office action is recorded in an audit log that cannot be edited.
- Rate limiting and platform hardening — request throttling, strict input validation, and standard browser security headers.
12. If Something Goes Wrong (Data Breaches)
If a personal data breach occurs that is likely to pose a risk to your privacy or rights, we will notify the UAE Data Office (ADISA) without undue delay — and within 72 hours of becoming aware of it — and will cooperate with its directions. Where the breach is likely to pose a high risk to you specifically, we will also notify you directly, describing what happened, what data was affected, and what practical steps you can take.
13. Cookies & Similar Technologies
We keep cookies to a minimum, and we use no advertising or marketing cookies anywhere. Full details — a complete cookie table, durations, and your controls — are in our standalone Cookie Policy, published at zolagroup.com/cookies. In summary:
- The platform app (app.zolagroup.com) sets strictly necessary cookies only: a sign-in cookie holding your refresh token — httpOnly, valid for up to 30 days — which keeps you logged in securely, and session cookies used by our staff back-office.
- Our marketing website (zolagroup.com) uses Google Analytics (GA4) cookies, provided by Google, to give us aggregated statistics about how visitors use the site. The `_ga` and `_ga_*` cookies typically last about 2 years, with session identifiers that expire after about 24 hours. You can opt out at any time through your browser's cookie settings or the Google Analytics opt-out browser add-on.
- Our chat widget embedded on third-party websites runs in an isolated frame and communicates through browser messaging; it does not set tracking cookies on the host site.
14. Marketing & Communications
We distinguish two kinds of email:
- Service communications — case updates, document requests, payment reminders, invoices, security alerts, and legal notices. These are part of delivering the Services. Your profile includes an email-notifications switch that turns off service-update emails (the in-app notification bell is unaffected) — but switching it off does not pause your Cases or deadlines, and you remain responsible for checking the platform; legally required communications such as security notices, amendment notices, and invoices may be delivered by email and in-app.
- Marketing communications — news and offers, sent only if you have separately opted in. Every marketing email includes an unsubscribe link, and you can withdraw consent at any time without affecting your Services.
15. Children
Our Services are for adults. You must be 18 or older to use the platform, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us personal data, contact us through the channels in Section 1 and we will delete it.
16. Changes to This Policy & Complaints
Changes. This Policy is versioned (see the version number and effective date at the top). If we make material changes — new purposes, new categories of recipients, weaker rights — we will notify you by email and in-app before they take effect. Non-material clarifications take effect on posting. Earlier versions are available on request.
Complaints. If you have a concern about how we handle your data, please contact us first through the channels in Section 1 — we will investigate and respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the UAE Data Office (ADISA), the UAE's data protection authority, through its published channels. Complaining to us first is not a precondition of your right to go to ADISA, but it is usually the fastest way to a resolution.